Row based permissions: at DB or at Application level?

From: Thomas Güttler <guettliml(at)thomas-guettler(dot)de>
To: pgsql-general(at)postgresql(dot)org
Subject: Row based permissions: at DB or at Application level?
Date: 2017-07-25 09:40:03
Message-ID: e662fd8a-6001-514c-71e8-01718444f338@thomas-guettler.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

I am thinking about rewriting an existing application which uses PostgreSQL via Django (ORM and Web-Framework written in
Python).

Up to now the permission checks are done at the application level.

Up to now queries like: "Show all items which the current user is allowed to modify" result in complicated SQL and
this leads to slow queries.

Up to now there is one db-user and the application does the filtering of rows to prevent application users to see
items which they are not allowed to see.

I guess most web applications work like this.

I would like to reduce the "ifing and elsing" in my python code (less conditions, less bugs, more SQL, more performance)

How could an application which gets written from scratch use PostgreSQL to implement
row based permissions?

Regards,
Thomas Güttler

--
Thomas Guettler http://www.thomas-guettler.de/

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Daniel Westermann 2017-07-25 09:56:29 Re: Row based permissions: at DB or at Application level?
Previous Message Adam Šlachta 2017-07-25 09:32:35 How to get transaction started always in WRITE mode.